In 3ad9d10, the following was added to source3/modules/vfs_full_audit.c:
@@ -606,7 +614,9 @@ static int smb_full_audit_connect(vfs_handle_struct *handle,
}
ZERO_STRUCTP(pd);
+#ifndef WITH_SYSLOG
openlog("smbd_audit", 0, audit_syslog_facility(handle));
+#endif
I believe that to be a typo and it should rather be like this:
diff --git a/source3/modules/vfs_full_audit.c b/source3/modules/vfs_full_audit.c
index e4d9599..cb03413 100644
--- a/source3/modules/vfs_full_audit.c
+++ b/source3/modules/vfs_full_audit.c
@@ -617,7 +617,7 @@ static int smb_full_audit_connect(vfs_handle_struct *handle,
return -1;
}
-#ifndef WITH_SYSLOG
+#ifdef WITH_SYSLOG
openlog("smbd_audit", 0, audit_syslog_facility(handle));
#endif
This is in 3.5 as well as 3.6 (not in 3.4 or earlier); a fix in both branches would be appreciated.
Severity set to major because it dearly breaks setups where log sorting is based on this particular syslog tag, thus rendering the audit log moot at best, which sort of defeats the purpose of audit logging in the first place.

Comment on attachment 6488[details]
git-am fix for 3.6.0
This patch is wrong (although it's in master in this form). The idea is to not call openlog twice: In debug.c we already did under a different name.
Jeremy, what do you think?